tv The Darkening Web CSPAN August 26, 2017 8:01am-9:31am EDT
to say the least. we have terrific people here today for all these questions. alexander klimburg, as i mentioned, has really written a book on this called "the darkening web." he's a senior fellow with the council's cyber statecraft initiative. he is a program director at the hague center for strategic studies, an associate fellow at the austrian institute european policy.
welcome, alex. delighted to have you. ceo of north america, former deputy secretary of the department of homeland security and one of the most knowledgeable in the whole arena, and was right at the heart of many of the debates the u.s. government has. again, welcome, jane holl lute. laura galante, most recent addition to the cyber statecraft initiative, previously director of global intelligence at fireeye, which is one of the premier cybersecurity firms i would say in the whole world. welcome very much. and then tal kopan, joining us today. she will do the moderation. she's a political reporter for cnn focused on cybersecurity as well as other national security topics. i think we have a great group. we have fundamental questions that span a wide set of issues. with that let me turn it over to
alex. he's going to give you a summary of some of these issues, some discussion from his book and just lay out some things that then the panel can get into with respective moderation. so alex, i invite you up.
>> thank you, frank. it's a great pleasure to be here you come very proud of my affiliation with atlantic council. my affiliation is hard but i think i spent more time at the atlantic council than i do there. i truly value display centigrade for its commitment to transatlantic values of think it's very clear right now those values mean a lot with the military alliances were even governments. they also included very impressive commitment to gender balanced to grab a fantastic panel and to stop it easy to get such impressive assortment of folks in cyber. i think we'll be talking quite a bit about values and i will have a chance to get into the weeds during our actual discussion later on. i want to give you a rough outline of what i think some of
the main and pertinent points in my book are. namely, the u.s. in particular but the west in general often concentrate on seeing cybersecurity as a technical issue and at worst a cyber warfare issue, while countries like russia and china concentrate on cybersecurity as a psychological issue and at worst an information warfare problem. the consequence of this is we're in the middle, on the journey we might see the global internet, maybe one of the most transformative inventions since the invention of the wheel from my point of view, what most people would consider to be a universal good that advances our personal freedoms, that we might see this universal good transform into something quite a lot darker, something that is used to suppress individual freedoms but also potentially to become one of a medium of control. this is a nightmare for some individuals but for others it is a dream they are pursuing with vigor.
the dreams and nightmares are a useful analogy for security threats. i once conducted an experiment at harvard with some of our students to try to figure out what is more common, nightmares or common dreams. we came to the conclusion people tend to have different dreams of what something should be but they have common nightmares they are afraid of. this is one of the reasons why strategic arms talks on nuclear weapons had a good point of departure. there was one single nightmare we were all afraid of, that one mushroom cloud, that really bound east and west together and basically made sure we had a proper honest discussion on the existential threats that we wanted to avoid. we don't have that in cyberspace. we don't have a single nightmare that both sides equally. so in the west, the most common fear is the cyber war narrative, of effectively cyber warfare occurring due to inadvertent
escalation. that's accidental war, or once conflict starts it could spiral out of control due to the unknowns we can't assess. a society that is thrown back to the 1950s or the iron age, depending on how gloomy you actually are. but for others this isn't the worst possible outcome. this isn't what they fear the most. the most realistic physical threat is to their own existence. they see the internet as primarily being a means to encourage dissent, to undermine their rule, to allow for nations including the u.s. to interfere in domestic affairs. for them the most realistic threat is not a cyber armageddon type of kinetic attack but effectively that they will be undermined through some type of uprising planned and connected to the internet, and that will quite physically be a threat to them personally.
they are much more concerned with matters that relate to governments and law enforcement than they are with, for instance, fixing application of international law to cyberspace. i call them cybersecurity faction. they have a simple goal. they want to fundamentally change the way the internet is currently run, which is by loosely linked actors in the civil society, the private sector and governments. that's the order of priority because civil society has coded most of the internet. the private sector builds and maintains it and government can blow things up and they can spy on things. the groups want to move the control of as it is amongst as many different actors towards a model that is dominated by government. they want to move it away from the californian registered nonprofit but is there internationally minded which
runs conference it's a big part of the domain name service which is something called the telephone book of internet. the reason why they want to do this is because they see information as a weapon. in one of the building through control of different parts of the unit to enact the law enforcement regime that would effectively enable things such as blocking translated copies of the "new york times" or taking down websites or similar things of that nature. they see the internet primarily as a threat and see the control of the internet as the only way to ensure their own regime stability. so the key to accomplish this is to articulate a rethink of where governments see their role in cybersecurity, particularly in the west. so the russians have been encouraging this type of rethink since the late 1990s. they've been introducing a bill on the code of conduct in the u.n. general assembly and many other different ways they are pursuing this. they are hindered in this attempt primarily by the way the internet really works which
means it is difficult to simply say we have now formed a u.n. agency that's taking over. they are also helped by the fact every single time there's a cyber attack or every single time there's a report of supposed u.s. malfeasance in cyberspace, the agenda is advanced again. the agenda is advanced in the direction they'd like to have it, which is an intergovernmental solution and not a multi-stakeholder solution. comparing cyber as a strategic disable or to a nuclear time. the state discussions between east and west on this issue roughly around the 1960s. we're still figuring things out but he cautions putting too much stock in the spirit of because the actors involved are just too dissimilar. in the case of nuclear weapons it was pretty clear who we need to have in the room. today while governments in the room but who decides if it's facebook, google, who is also supposed to be in the room? governments don't play that big
role in cyberspace. and, therefore, deciding who should be in the room and the intergovernmental discussions is part of the problem. the biggest problem is the discussion itself. by having governments as an arbitrator on security concerns, the authoritarian states are furthering the objective of effectively pushing governments into a controlling role of the internet. it's a sticky problem. the more i try to push the issue away, the government stands up and says the more we defend the multi-stakeholder form of running the internet, the more the same time governments are taking up too much of a place in the space, the more they're diminishing the role of the other actors, the furthering of those agendas want to see cyberspace control the governmental organizations. in fact, getting us to do something, getting governments to do something in cyberspace is very often quite clearly the objective of many of these cyber attacks. just to give you two examples that are pertinent. in 2015 a french tv network went
off air catastrophically for two days, and the perpetrators are supposed to be isis who claim we are cyber jihadists and will strike you now everywhere. two weeks later the french government leaked that they established it was, in fact, russian military intelligence who had been behind the intrusion and destruction of effectively critical infrastructure. the question was why would they do such a thing? and from my point of view the question was quite obvious, they wanted to have cyber terrorism as an there to pick cyber terrorism hasn't ever could. we have terrorist use of internet. that is a big issue and it's a complete issue but we don't have cyber terrorism yet. this would put cyber terrorism on the agenda and it did. for six months i spent a large portion of my time in europe running after new discussions that the french government had put up regarding cyber terrorism. until 1. the discussion would away from cyber terrorism because in the west one of our
agreements is we don't support the narrative of cyber terrorism because ultimately it means control of content. that's what it means. terrorist use of internet means something else. another example, you don't have to go back to 2015. look at wannacry. another example of what might be more interesting to basically blow something up and cause a fuss and a political narrative rather than steal data. this is why i keep coming back to how important it is to understand why a cyber attack might be, they might not be simply interested in trying to steal your data or pre-position for war, they might be more interested in pushing a narrative. i narrative, the wannacry successor that we saw in the last couple of weeks has to have include established to be not ransomware, it had no interest in decrypting the system. you can even reach on like the it's simply to destroy things. given the fact their target even
though it was ukrainian or not military essential in any way, what was the purpose? those attacks like other attacks i think have a pattern to them. those patterns are simply pushing governments to do something in cyber by effectively grabbing the narrative of the narrative is also construed very much about security issues. just to give another example, theresa may in the uk after the uk terror attacks announced she wants the uk to take the leading role in the regulation of control of data, and even didn't dismiss comparisons to the chinese way of running the internet. we are in a state, a country that formally referred to as mother of democracies was actually considering level of intrusion that previously only the chinese governments would have considered. luckily, it's not been included in the queen's speech, maybe it will not be implemented. in any case that was narrative. our moderator tal kopan wrote
some years ago that there are many analogies for cyber and those analogies tell a lot about you when you use them. if you talk about cyber war then you think government might be the answer. if you talk about public health issues, then you might think that some type of model might be the answer. if you talk about climate change, maybe you think another option is the answer. i think all of these models are useful but i think there's one macro problem we should keep in mind above all else. what is the worst possible outcome we're trying to avoid for ourselves when we engage in government regulation of behavior on internet? anything we do including, and regulation, treaties, developing cyber capabilities, what is the worst possible outcome we're trying to avoid? and that is something i think we haven't talked enough about. for me it is quite simply we need to avoid falling into the trap, explicit trap of information warfare. that effectively notes
weaponization of information. the weaponization of information means cnn, the "washington post", the atlantic council all become pawns in a larger game that is effectively sanctioned only by government. this is a very, very scary vision and is not likely to happen in the next five years or seven years, maybe ten years, but it's a possible nightmare. it's a much more likely nightmare than the nightmare of cyber armageddon that kept us on our toes for 50, 60, 70 years. the only way we can avoid this is really having a full commitment to the multi-stakeholder model about how the internet is run. a proper segmentation of how we discussions on cybersecurity issues which need to be highly siloed and separate so they don't contaminate each other and fundamentally endanger the free internet as it is today. without the free internet there's no free speech and without free speech we don't have any free society. with that i'd like to move to our panel. thank you. [applause]
>> so thank you, alex, who now you're all familiar with. my name is tal kopan as introduced, i'm a reporter over at cnn. our other panelists who didn't get a chance to put a face with the name, we have laura galante and then jane holl lute who you heard about earlier. we will just dive right in. fascinating stuff, lots to cover. i think what might be most useful is to start with a particular case that perhaps we're all too familiar with at this point, the russian meddling in the 2016 election. it's interesting because it's become discussed as some sort of cyber event partially because it involved hacking of personal e-mails with a sophisticated
spear phishing campaign and then dumping those on the internet, and a construction of a hacker figure that was used to disseminate these, and then there were separate scanning evidence of voter rolls, one actual breach that has been confirmed and possibly one other, although there were no data exfiltration or changing perhaps. so my question for the panel to get us started is, is it actually useful to think about what happened with the 2016 election as some sort of cyber event? or do we risk limiting public understanding, conversation of what to do about it by viewing it only through that lens?
>> maybe i'll jump right in. i don't think anyone views it only as a cyber event. i think people view it and i think there is a broad sense
that yes in fact, this did happen and there is broad outrage but whether or not your outrage moves you to action is a completely separate story. what do you do about what you know? what do we do as a country with what we know? this brings us to the heart of alex's book and i think frank also framed the question really very well. the internet was envisioned by its founders and we all know them. they never imagined the evil to which the instrument might be put. but it has been put. the internet represents such a universal good for so many. it's empowering, uplifting, informing, connecting, the miniaturizing. it's really a universal good. the next question, who will keep it good? so maybe the russian hacking of the u.s. electoral system and the intrusions into our electoral system, none of us thought it would happen. i think we all, it was in the
realm of the unimaginable but i think it does for many focus the mind now on who will keep the internet good.
>> laura, thoughts?
>> i would add a bit to her points. i think what the 2016 example and the russian interference in the 2016 election shows us is the clash that alex details so well and artfully in your book, which is we had this information security layout of our country's will use russia and china but particularly russia sort of the thought leader in this, see information as the main currency of what cyberspace is about. we had this other side, the free internet faction here led by the u.s. where we're thinking about cyber in more of a technical realm. what 2016 signified in a huge way is two ships passing in the night on how to think about the problem. so russian spent a good 16 years at the point is that more
articulating how information security works in the russian mindset, protecting this information here, thinking about information as a weapon and also something that needs to be used to protect people domestically. they have been advocating the sovereignty approach, saying cyberspace is a place that can be sovereign. when you're willing to say that and you're putting that out in the u.n. year after year and the u.s. is doing its best to ignore that or at least disagree with sovereignty as a principle in cyberspace because it goes against so much of the principles that jane was her particularly on how the use cc internet. when you have these two views of sovereignty and then the dnc's network gets hacked by the russians in a move that would breach the sovereignty of the u.s. in a way that russia sees sovereignty in cyberspace, then you're really upping the challenge for how the u.s. government can start to address this. it's putting us by that the
center of this debate of what we want our national cyberspace policies to look like but more largely how should states exhibit power in this debate and how do you find the domain? another much a book and started to unpack some of those questions and to think we're finally, starting to do with us to get a mindset since you a real example over the last year.
>> alex, i thought it was very apropos your book starts with term, terminology become such an essential component of this. and to give you a chance to respond, as laura brought up in terms of when you think about how do you respond, you talk of information warfare and what we are witnessing, how sometimes the response can play directly into the hands of the person or cursing the defense, how do you start to think about if you're on the receiving end of one of these campaigns?
>> so i think there is the
general constant we need to come back to is that operation is not going tactically or operationally significant, it might not only be about achieving the tools and system for stealing data or prepositioning for war but it might also have a very clear political objective. this is something that is more in line with how the kgb and soviet union consented its military strategic thought experiment rather than at the westwood constructor jia thought experiment pixel it is i've been in west highly constrained issue, that is caught in a couple of boxes on the military level, fairly low down is not seen as a strategic paradigm. russia and china has been seen as most strategic paradigm so it's just a way a lot of these guys have been raised. they see it naturally. the warfare point, think it's a board we come back to what can be done about it and how should we view it, the european
interested. the europeans, the estonians, the scandinavians and the germans will say to the americans look, we've been putting up with this for the last five or seven years. this is nothing new. the level of it has ramped up massively but if you look at a country like sweden, sweden has been undergoing cyber information warfare campaign that puts the u.s. to shame. it has everything in it, threats to individuals, blackmail, smearing people, overt military threat. everything was there. what happened? effectively, if i get the numbers right, the approval rating for joining nato, sweden being neutral, went from 16% to 49% and now they're reintroducing the draft. so we fail. whatever the objective was it probably failed. why was it successful in the u.s.? when it failed in france, germany, estonia, denmark and sweden. actually a lot of the countries one could add to the
slaves and this is one thing i only addressed at the tail end of my book simply because it happened right after i finished writing it, but is quite easily, if you look at two numbers that it puts in the back you can see what the level of trust in u.s. institutions were. when only 20% of u.s. public thought that the mainstream media is doing a good job and only 6% think congress is doing a good job, then it cannot be a real surprise the u.s. is a very soft target. the question should be why was there such a low level of trust in these critical institutions? you can't find anything like that in the western european nations, not even eastern european nations. this was for me the clear point we have not sufficiently addressed, how can we even have an approval rating of 6%? china used to say for instance, if economic growth dropped below 8.5% then there would be mass unrest. now they've lowered it to 8%, 7% because the world has it in for
them. but fundamentally bit of thing they could get by with 20 or 30 or 40% approval rating. 6%? no democracy can survive that. how did we get to that 6% approval rating?
>> i think i want to push back on this. i take a backseat to nobody in my view that the united states is exceptional. in this respect we are not particularly exceptional that the public is angry. frankly, the public of you are around the world is angry whether it real, istanbul or in the streets of london, paris or in the united states. the occupy movement for many was sort of a manifestation of this, sort of undirected, unguided, i'm mad as hell and i'm not going to take it anymore. i think it's fair to say the public's trust in institutions globally has collapsed. we don't trust businesses can we
don't trust businesses. we don't trust the markets. various institutions react with a range of emotions themselves. the media is indignant that we don't trust them. why don't you trust us? why should we care what you think? we really have come institutions had to go back to fundamental principles. here's why you should care what an independent observer seeking out the facts is presenting to you. but i'm not arguing our media is perfect but what i am arguing is in the wake of snowden, i traveled a lot back and forth to europe and one conversation in berlin was particularly affecting to me. my german counterparts had a very interesting colloquy among themselves. at first they were sort of like, we are so embarrassed. right under our very noses, how could this have happened? others were criticizing their leadership that they were shocked that there was espionage going on even among friends. but then they turned to me and
said, why aren't more americans outraged about edward snowden? plenty of americans outraged but what we know fundamentally in our system, when we moved to the extreme, our system will correct itself. i place a lot of faith in the pretty prudent public we have in the united states that we will correct or so.
>> they said that's what you'd understand about our political system. when they moved to the edge there is no safeguard. they fought over. i was stunned to hear that. i think we need to look at even this instance of russian hacking in the u.s. election. there will be more of it. there will be others and it will happen another place. we need to understand this fundamental question of trust. how do we architect trust in public spaces? the fact publics everywhere are angry. it's not purpose driven anger. people kill each other with purpose driven anger. this is anxiety-based anger. we are not sure we know how to architect trust. we are not sure we know how to
architect trust in institutions, in public space. that's at the heart of this question.
>> alex, how do we get to 6% may be the question is how do we get back to the 15, and congress has done that. you know, actually in the past years congress approval rating has started to pick back up over what john mccain loves to say paid staffers and meaty has ticked down to that level. one of the things you said in the introduction i thought was fascinating is this notion that the objective of many of these information warfare campaigns is to consolidate power in government. you mention other governments have expressed this. in france on the eve of the election had a similar episode, some campaign e-mails were hacked and a hacker figure emerged on
the internet purporting to all this inside details. france actually in the government had the ability to say the 24 hours before the election meeting you can come with us. many u.s. institutions also operate in france follow these rules because if you operate there you follow the governmental rules. you see what we do, is there something more for the government to do to protect ourselves, where as using the arguing that the exact opposite must be true, so how do you unpack that inherent tension of wanting us to be able to have a national response but almost during complete into the very hands of the objective? perhaps laura, you know, you come from the private sector perspective where fireeye often have as good intelligence as the stuff that has the highest level of classification because we see it on the open market but how do
you start to think about what the role of government, what's the role of society in this response?
>> it's a huge question at think if there's an easy answer to it could've written a book -- but at the heart is who do you trust in a space that is abstract? one of the lines i really like was cyberspace is an abstraction just like finances. you have to have an interlocutor, whether it's the president, the government, media, what have you to understand what is going on on some larger macro level in cyberspace. i'm not convinced there's an easy answer to say the government holds the cards are all that as the private sector or what have you. the kind of obvious statement is why the multi-stakeholder model has persevered for as long as it has persevered given the ups and
downs and changes in our attribution over the last 15 years, over all these different elements that have changed in the time we've all been watching this space. so thinking from a more proactive sense what you think is what you're going to get to, what steps we need to take by what questions do we need to ask of the institutions that currently exist to govern the internet or more broadly translate what's happening to the internet, is who holds what roles and where do they carry forth that role? in the private sector frequently they are looking at whether they are investigating a fortune 500 network where the fbi will not be the first call, or maybe they were the first call also but maybe the private sector has been on it for the last year as a defense client or what have you. but where there's insight coming from industry, what is the right level of oversight or lack of
oversight for how those findings should be shared and how far the findings go. when you're sitting there as the person in a government seat or private seat with first eyes or second eyes on network incident, on malware that step in use before, and something like that, what is your duty to talk about that to the rest of the world, knowing how huge the implications are around this?
>> they came out and said we know these russian government hackers and it was intelligence committee that followed suit months later.
>> and even in releasing at the time originally back in 2014, the report of this group, and our telly we lost a lot of sleep if this people initial lost a lot of sleep deciding whether we should reveal that we had a judgment that this was russian government a group and the tools behind and other acting, what have you and i contributed to
that conclusion early in 2016 around the dnc hack. these are really weighty questions a lot of different people are dealing with and what are mechanisms that make some of the more predictable with or without government oversight? it's a huge question.
>> the trust issue, we keep on coming back to which i think is fascinating topic and it will bring you back to what jane said before hand, if we seek trust from a macro, a microlevel, a technical level and we take it up to the level of national response, there are interesting things to be learned. information security, what fireeye and all the other secret coverage to which is called information security works on the trust level. people change information with each other according to their own protocols. sometimes that information should not be shared because of legal reasons or contractual obligations. trust is most important thing among defenders of internet and guess what, it's what often builds the internet. the internet cannot work without
it. if there wasn't trust between the operator and other pieces, the whole thing would collapse. it is built on trust. there's trust but verify the elements. giveaways are doing that by having additional people involved but it's based upon trust. it's not image of approaching the problem or if a very way of approaching the problem. at a slightly higher level talking about national responses and trust on a national level, one of the things i argue before this book is done with governments into something called whole of nation response, which is not like whole of government because it includes nonstate actors, is western democracy encourages the cooperation of the nonstate actors. i asked the french government what is a policy in this and they go what? we have a law. you can do it that way but it's probably not going to cover all the bases you want to cover. interesting note by the way the
tv channel that was not air was designated as critical infrastructure, therefore it wasn't an act of war for so to knock a day. you missed that tv station so we will knock that one down. now what are you going to do? it's walking up to the red light and putting a finger over and seeing what happens. engendering trust i think from a government point of view is critical if you want to have a nonstate actors involved. that means private sector and civil society. we saw in the obama administration the last two years there was a big push to go out and encourage effectively both silicon valley well also other actors to be much more supportive of the u.s. government efforts in the space. that wasn't by accident. the government also went out of its way to encourage trust with its international partners. president obama gave his famous nsa speech where he announced limitations on the use of -- never been done before. it was very much first in world history and the reason was because they were fully aware of
the fact trust was such an important factor. where i think things maybe didn't yet develop was how we communicate cyber capabilities per se when we talk about trust. so for instance, if there's no public definition of what the cyber capabilities are. you can look and find documents but you won't find declassified definitions of the different types of cyber operations and exactly what they can do. it's like saying here's a weapons system. we can't tell you if it's a plane, a tank, a submarine, biological weapon but it's there. we might use it, we might not use it. it would be very helpful to have an open transparent discussion on what cyber capabilities are able to do, what is supposed to do and i would encourage public discussion maybe amongst states. that would be helpful to understand what our government capabilities in cyberspace and will also can also forget what basically are, neither is. we do have a common nightmare of
lights going off. even for authoritative machine still be interested in their physical security, we can make it clear this is what we can do to you and we appreciate into the stores. let's figure out for a way that cannot happen by accident and then we can make a huge step forward.
>> to bring this to another case study because we could probably talk about this for even more than we are allotted today, and to send it back to jane, to talk about some of the ransomware attacks. one thing that's interesting about the response was the department of homeland security has been saying this is an example of how a model has worked. the attacks have not hit the u.s. as hard they say because we have such a robust encouragement of our private sector to do the basics, to push up software. there are not as many bootleg versions of things in the u.s. and that type of thing. when we talk about those ransomware attacks, have any best practices emerged? we talk about ransomware attacks
that were not actually ransomware, how does that affect the model for one of your favorite topics, cyber hygiene? >> i think that's right. a couple of things that i think are maybe historically interesting and audits about as our governments have struggled, every single one, every single government has struggled with its role in cyberspace. the key question, how to architect systems we can trust and compose we can't? how to ensure the integrity of information and identity and open internet? what should the role of governments be? and a recent government that has been tackling this problem has had a fight internally between the military intelligence and that community and the rest of that government. you can sort of see who is what. i have said for a long time we cannot run cybersecurity as if it's an intelligence program for this
country. we will not be safe. i think governments, the key role of government is to tell us how should we distribute responsibility for cybersecurity in this country? what should my role be as a user, as an investor, as a software developer, as a manufacturer of hardware? i'm a big believer as you know in basic cyber hygiene. why isn't government telling s-corps why isn't government telling every enterprise that are for if i think you should be doing that will reduce your vulnerability by was over 80%? pick a number. hardware inventory, you know what is connected to network? software, do you know what's running or trying to run? permissions control, dino is one which one you run your network who yet given permission to? some people have access to information they have no business having access to and then an automated system in place to alert you to the proper patches that you need to take expeditiously and are you
patching? people used as the winners and homeland security what keeps you up at night. what's the greatest threat that you see? unpatched on the booze, absolutely. to me with a question. when we get them come have come governments been discharging their role? alex is arguing strongly that they have overplayed their hand, that there's a movement there for governments to control the internet. just a question that a host of governments that believe governments ought to be at the heart of who sets the rules, what the rules should be, less access to them, access to get it under what conditions. there are others like the united states and a number of countries from western europe who believe in this multi-stakeholder model. why is this so important? in my lifetime there have been four strategic questions that the world has had to confront.
when we confronted them successfully we confronted them multilaterally. the new multilateralism is multi-stakeholder-ism. governments at the national level may not have this right but asking the mayor you happen to see, it is the only game in town if you want to get things done. they work in multi-stakeholder with the private sector, for-profit, not-for-profit, churches. they are the equal opportunity convener for solving community problems. but those four strategic questions have been in the wake of world war ii how do we save the world from this happening again? what do we have? we had the u.n., nato, a number of multilateral institutions established that flourished. you could argue over that but they're established and then got a very long way to answering that question. during the cold war and the potential for nuclear annihilation, again they return to multilateralism. in the post-world war i struggling with these issues, and today we have never said
that answer. so alex may be really onto something. the new multi-nationalism is multilateral -- multi-stakeholder-ism. >> do you feel like there is a win anywhere in these global ransomware attacks, any lesson that can prepare -- i remember a couple of years ago i was watching a panel, going on about i could envision a world where we just consider it the cost of doing business if we had to pay $20 and been going to to open our refrigerator. or to get into our car. ransomware would be so ubiquitous. i don't think he envisioned it as a weapon and what happens when it shuts down hospitals you mention. what are some of the lessons? did the u.s. do something right? did we just get lucky? >> just to come back to the multi-stakeholder . and also how
regulation fits into it, because that's the question. it's important to note countries that support governments support governments, support the multi-stakeholder model include ones that have different views of how the internet generally speaking looks like. they include france, top-down internet which failed and sweden which is probably even more liberal than the u.s. in terms of how they envision the intellectual property and the internet itself to be construed. there's a lot of different views among those whose work multi-stakeholder model of them different views on a local regulations should work. that's fine. the point about the stakeholder model is not it handles off anything to use president obama's expression cyberspace is the wild wild west. it doesn't have to be that way. there can be a sheriff, there can be rules. the point is they are agreed within a framework that effectively accounts for the stakeholders. it's very tiring when you work in international security and a part of international negotiations for nearly eight years and just explain to
diplomats and the generals that it's nice to develop this crisis management function of the hotline telephone or something else but really these actors like information security responders, the security researchers, the white hat actors have that and they're the ones who solve those problems. not 90% of the time but 60 or 50% of the time and that's the cyber hygiene issue. if we have requirements that each nation thinks it's important to fulfill then we would effectively drain the swamp a little bit. we will effectively lower the level at which serious cyber adversaries can inflict serious damage. there's two truisms effectively in cyberspace. one of them is effectively 90% of all cyber attacks can be taken care of with good, resilient measures, good cyber protections. that's definitely true because even state adversaries will always use the cheapest tool at their disposal.
why should they use the magic tool? on the other hand, a committed attack will always get in and that's not probably going to change because math is a measure the easy cyber attack is to call you up and ask you to give me your information. that's effectively what engine is about. cyber is indeed true. there will be different ways and we won't be able to fix all of them. if we drain the swamp on all this to shocking, all this noise that is happening, then we can deal with more significant issues and that can be done with local regulation or it's not a contradiction. there's an internet, a general body worldwide that says all content has to obey this particular criteria and one government has a problem with this content, you are obliged to take it down, no questions asked. that's the type of model in which has likely been resistance
apart but it's important amongst different actors, the private sector also engenders trust with the government that they are able to manage themselves a little bit. the european union, they thought effectively google had not done that on some issue that facebook wasn't doing that and they fined them a lot of money. so there is no however on both sides of these countries who believe in the multi-stakeholder model there is awareness of the practice, of the multi-stakeholder model, this big mass of bodies, also very small bodies have to be engaged with and have to be given their due. it's a question of how we engender trust in that bolcom not necessarily always what the model does because it will be up to them. >> back to wannacry to make it topical, i think there are a couple of glimmers of light but information security community i know was a researcher and i forgot where he was, maybe california was the first to figure out, by
accident, redirected the service, in the uk, redirected the internet and basically stopped wannacry in its tracks over lunch. he was very humble about taking credit for this what have you but it's a good example what the community has been the first to the scene of some of these major situations that it happened. the other glimmer of hope to find in wannacry to me is i was in kosovo when wannacry was happening, and kne news countryn the world, right? kosovo, everyone couldn't stop talking about wannacry as if this was the moment when they could use this to wake up decision-makers about spend in cybersecurity. even though some of these incidents might be in the technical community kind of looked down upon as that was so simple or it wasn't particularly
sophisticated, they had an enormous wake-up call not only on cyber hygiene side but for companies and basic practices, the digital equivalent of a lock on your door that need to be taken by companies and governments writ large. they can have an enormous effect and just mind sharing mine change. i think that's what this has signified. >> it's funny you talk about the cyber wake-up call. i remember having panels when we talked about the target hack as the cyber wake-up call and it's funny how quaint that seems these days and yet the principles that we're talking about haven't really changed. i want to pull a different thread for a moment. one thing that struck me in your opening remarks and as we've continued to talk, they seem so old and crochet a scene surrounded is the question of attribution. laura, you sort of referenced this. how important when you talk about responding to what is
information warfare, whether it's ransomware, how important is it to establish who is behind it and what their motivations are? and when we're also talking about trust and how many americans still have doubts that are sometimes fed by people that of, it's in their own interest to peoples doubts that russia was behind some of what we saw in 2016? >> this is not only an interesting question but an important one, because the information security industry has really revolved around threats and identifying threats of the threats that are posed to you. one place we haven't got it right, in fact some of the colleagues in the information security industry will say we have failed. it's that they treat everything a person as what my colleague tony calls a special snowflake. unique threat information that's about you. really? we are all on the same web. we are all encountering 98% of
the same dust. that's why the message of hygiene is so powerful to me. we want to change the game can we need widespread adoption of hygiene. what's the most important invention in the history of mankind? soap. soap, right? the mcculloch said wrong, the commercial soap. it was making it available at retail, retailing soap. your point about we still have this fascination with the upper end, the high-end cyber threats, the ninjas. kevin and his group, they were the first ones to call out the chinese a number of years ago. i think the trend government of which i was a part we were the last. if hygiene is effective why are we hearing more about it from governments who want to be authoritative on this? because in part, and is preoccupied with the high-end and for a very long time we treat all these problems as a matter for the intelligence community and you are not
cleared. this is treated as a nuisance and wanted it to go away. if we only knew what the government knew. if we only knew what nsa knew we can protect ourselves. give that information to a what we learn from fireeye and others is that it is going to take a village. it is going to take all of us in the game and people identifying threats but, frankly, i don't -- i say brush your teeth, wash your hands, don't share food. i given the basic hygiene to successfully get through the day which is what most of us need. >> laura, you sort of work for the lead in attributions. countries of your thoughts? >> attribution's always going to be the natural question, who did it. it's just part of not just human nature but requirement in response to any of these threats. i think yes, we've been talking about threats. on the defensive standpoint we need to be talking about
hygiene. do you have a sprinkler is more important than what type of -- so yes, that matters in defense but when we talk about international cybersecurity, talking about these bigger questions how do states respond to whatever the incident might be, attribution's always going to matter. i think we have come a long way from the days and that's a 2008-2009 when you still throw your hands up and just say attribution's going to be the defining creature that the profit for anything to do about cyberspace. there was definitely a desire and we were motivated by a motivation, motivation was to go and figure how to explain this massive data sets we're seeing and intellectual property theft that we are seeing and then put a face and agenda behind it to really explain this? of the goal wasn't attribution
in and of itself. the goal was to get her do something about it or provoke the discussion. attribution as its own desired state isn't really the question. it's what are we doing attribution over to achieve? >> alex will have some thoughts on this and then y'all better have your questions ready as i'm coming to you next. >> the question of attribution has always been a very interesting one. either people were furious about come you're not clearly answer on this. one of my favorite was put out by defense into comics copiers, was flagellin you said he believed in the james bond theory of technological that everything is evident in the james bond movie will happen in reality. and since some of there's a magic black box, in the james bond movie that already exist pick my foot was what we saw and education over the years is
basically tailoring responses to our level of knowledge. we haven't necessarily solved that but we've made great advances. for years the point u.s. government and of the government tried to make it was a response to significant cyber attack doesn't have to be cyber. may be diplomatic, military, economic, something else. that often means you can time delayed, make it reversible, a lot of different sport thinks that, since tell you as possible. that also works at other levels here however when i think we sub pop is communicating even on the aside which is magic attribution capabilities shall we say, what the certain attribution really means. when people say we have a pretty good idea or high confidence of attribution to a certain country or a certain nation, some people including decision-makers in the u.s. might think that means high probability means like a radar. i can tell you 99.9% probability that missile that was just fired
from north korea is coming to the united states and it came from north korea. i don't think that's ever going to be possible in cyberspace depending on what kind of attribution you do. you might get 70 or 80% but if you're sitting on someone's machine and you see the guy typing something they could still be a false flag operation. false flag meaning it's fake. somebody else is doing it. they are pretending, they have hacked into the system of and pretending to launch it. it's all theoretically possible. that's why it's important we make the sanctions, the slow, the other ways of response that don't involve cyber. ..
something like that happens, they want to believe that they didn't for a couple years. i saw that after the sony attack, information security groups, people who knew better were -- they knew better. after -- it is likely we got that wrong but they are questioning the political circumstances. that is the ultimate warfare. and between the citizenry and the government and the private sector, that is the whole point
of most stakeholders, the bonds that connect them, weakening of that trust is what we shouldn't allow to happen. >> makes me wonder if there is a play left on the table sometimes but i would love to turn it over, those watching online and tweet some questions online. i see familiar faces. >> the working theory is the attack was based on some code or exploit leaks from the nsa in april, given the nature of information that it can be copied or proliferate rapidly do governments have a responsibility to prevent the proliferation of state-level tools? >> sorry, if folks would introduce themselves. >> hunter. >> governments have a
responsibility to protect unauthorized release of tools. >> i would second that and the fact that the us government was involved did not have control, would be international law. you are responsible and have to have 2 have a military action, that would be a key point. >> is that some things that needs to go in not just in terms of we have it but when you think as a government what can we construct? is this worth constructing because of the remote possibility? obviously it did not go the way it was expected. how to think about that at the
front end. >> i won't think about any specific example but a hypothetical level of abstraction. this is not peculiar to cyber terrorism. there are other areas, lawyers go through this. certain things when we do more damage than good. how do we control, what do we think will happen, how do we control the worst effects? the public has a right to expect the government is going through that kind of calculus. for old time sake. >> one point on that side. you think even though the equity problem is ongoing, people always trying to balance out competing interests of constructing a cyberweapon or designing something similar. things partially go wrong, there
was overall emphasis on offense rather than defense. there are many reasons for that, so much easier to do and the sense is it is really expensive, not only simply expensive to do on a political level, not just the financial level. might have to introduce legislation to do this or that, much easier just to draw up offense capabilities in a blackhawk and say we have a deterrence model. the us case there are many legal reasons it is difficult to do, small countries like sweden, the netherlands and switzerland do that. >> which is another reason we need to bring hygiene right to the front. >> it is a relatively straightforward, far less costly to patch on a regular basis and you know what software you allowed to run on your system and have to clean up afterwards.
>> it gets cheaper as things get worse. might have been difficult 70 years ago when we talked about what was relevant whether it is insurance markets or liability. all of these things are not politically possible, now they are increasingly possible with cost decreasing. part of those costs simply should be by themselves to realize how much trouble they can get into, it would not even require that much in the way of government. >> sam metzner was idf at georgetown university. i take your point that some countries are better at cyberdefense but we are larger and don't have the luxury of some of the conditions they do and we have a larger role in global governance. my concern is this. i like the idea of a multi-stakeholder internet which
is really global commerce, a place in which we express this but i think that maybe too self-referential. we have glued it to our electoral system. somebody regards critical infrastructure at the battlefield, they will regard the internet as part of that battlefield. what we may be seeing is an evolving concept of operations, we may not have the luxury of referring to the internet as multi-stakeholder global go global commons that we so much admire. i would like to see sustained. we are looking at other countries that have a different concept of operations, just as germany had a very unpleasant concept of warfare, it redefines warfare in the second world war and other countries had to adopt that concept, we may be forced to do so as well or at least take it into account. i would be curious what we might want to think about in a policy
perspective when we can't define the internet the way we want to and other countries may define it as essentially a battlefield. >> has the governance model already won? >> the fact that other countries see it differently is well taken and i agree with that and many things, the internet has been attached to things it wasn't intended to be attached to, the german government refused to consider cyberspace critical infrastructure because you shouldn't put anything critical on it. tough luck. it has happened. what you might be saying is since that happened and we jumped into this unsecured environment should we make it more secure by redesigning it and i would say we don't have to redesign the entire thing. there are little fixes that can make it more secure and that is in part what is happening all the time.
you heard the example of the 29-year-old hacker who found the kill switch on the wannacry outbreak and turned it off. many other examples. daniel kaminsky found the biggest hole in domain names. these things happen every couple years and bring us a little further down the road but essentially bring us back to the argument that certain supercritical infrastructure we should be thinking differently but this is on the defensive side. there is a reason certain industrial control systems shouldn't be the way they are and shouldn't be allowed to be the way they are right now because it is too dangerous. that is one argument. it doesn't make the argument itself. it is the way they are connected. they have default passwords baked into the hardware that can't be changed.
how much sense does that make? there are similar examples where people have been lackadaisical with their approach to security online. the wrong approach would say rip this thing up, it was built by kids, let's make a new one. that would be a very bad move but i also tried to explain to government officials when they voiced opposition to the stakeholder model that only government should be responsible for this because it is such an essential issue for everyone. governments have to be in charge. i go let's play this back. what happens, say this part of the u.n. is responsible for that part of the internet. what happens to people who call attention to it, the web consortium. they have nonstate volunteers who sit down and write this stuff. are you going to take orders from the itu or some other un agency? you will build another internet,
the fact that it was already done, these guys will build the internet, they will build different parts of it and if we tried to design our own internet around these preferences they are going to build one that we don't like at all because it will be completely illegal and it is important to keep the people who built the internet on board because this is a nonstate domain and they are coming in to a domain that was built with different conservations, that won't solve the problem but only make it a lot worse because it will highlight in the range of security issues, you are protecting, tried to protect the powers but you are endangering free speech. >> what is basically right about your question is in this world you can be first, fast or powerful. we are not first and not fast but powerful. when you are powerful it doesn't
matter when you arrive. many people believe government have militarized cybersecurity unlike your phrase we. the infrastructure to the internet. there is no one who doesn't rely on cyberspace and it. we glued our economy to roads, rails and bridging and warfare when you are opposing your adversary takes account of that. the interesting question is will we move to more symbolic and less kinetic warfare because we can do such devastation to an adversary in cyberspace? we have seen preliminary examples that suggest the answer to your question is yes. >> on the side of the room if you can wait for the microphone.
>> i'm mike nelson, i work in public policy, and internet security firm. i have been working in multi-stakeholder processes, i'm excited to hear your full throated support and even more excited about your confidence in innovation but i have seen a lot of multi-stakeholder processes that go off the rails. at the internet engineering task force, some of the efforts i was involved in for y2k we had deadlines, either self-imposed or y2k external. we also had everybody in the room who could veto any solution. the problem with the things you are talking about, making the internet more secure with controls on cyber attacks is we don't have deadlines and we don't have everybody in the room that could veto a solution. i have been to a lot of meetings
of the un, the internet governance forum, you don't see the intelligence community there. you don't hear the cyberwarriors who are off in their own classified space. do you see any global setting, intergovernmental or nongovernmental that could bring enough key players together given the sense of urgency so we might actually get a solution, broad agreement on some kind of approach to answering the questions, >> a solution to which problem? the insecurity of internet overall? >> we were talking a lot earlier about cyberattacks and when it is appropriate to bring down infrastructure. there was talk about cybernorms and doing something to pull governments back using these tools, encryption is another area where it is nice to have global agreement how encryption
will be deployed. probably five or six big hairy problems and no place we will get an answer. >> there are many questions. i describe the book as blind people which is a favorite metaphor to use for professionals, you see different parts, a wall or fan or host, you won't have the architecture, and things even on this panel, talk about critical infrastructure protection issues, and inter-governance issues. these are in government terms different agencies and a whole set of priorities and different things involved. one thing i argue is we need cross ventilation between many different silos. people should not be merged together because there are important jobs including
arms-control people and law enforcement people. everybody has their own jobs to do but are not really aware of what is happening next door and that makes it difficult for response measures or understand the danger of those response measures so the example i gave as part of these norms processes are communication. so i was part of a working group, confidence building measures, it was great, we have online telephone. let's add that to the hotline telephone the us and russia have. another is meridian group and another one is the eu and another one is great so we have five different hotline telephones. which one are you going to pick up first? people were just developing additional mitigation measures without knowing what is out there. people start effectively
trampling all over each other's shoes. the unpleasant fact is it is a complex issue. there are many parts of it like medicine, no one expects medicine or the financial system. we need to understand different components attacked in different ways. the way you were referring to international interstate issues, the weight is described, the outcome is clear that there is a different approach, international security issues and the un first committee, go ahead, talk about international law, application of applied cyber, constitute accountability, that is an important conversation, governments need to have it. second, basket, economic issues
and have that conversation about the internet which is so important, it is great, you can have it right there. perfect if there's context around the convention but talk about exchange mechanisms and not the content. we only agree on how to communicate with each other when we have agreement the conference is illegal. the third basket means governance. about running the infrastructure itself and infrastructure that is not maintained in the private sector. maintained by the community and the approach to this problem, dark configuration exercising controlling interest over all of these and a controlling interest in international security to be responsible, so absolutely they have problems to be solved fair which is involved in the un
discussions. that discussion should happen there and should not involve in my mind internet cost or infrastructure. those should be held in the government department and this model keeps these things different from each other and makes it clear they can't be merged together and can't be compromised. you have seen the stakeholder in action, how things slow down and sometimes take over parts of it. i have seen engineering task force by government and companies at meetings where standards are set and they tried to make new standards a particular topic of interest, they go in and this is the stuff that runs into the future and we own it. what happens?
they go someplace else. one of the guys from the community said people understand ietf is not like an organization, doesn't even officially exist, not an official organization. it is a name of the hotel, nothing else, people, something comes over and buys the hotel, the system is very slow and cumbersome and ugly but better than the rest. >> one of the things mentioned in the encryption we are starting to see, commerce and technology is not country by country but global. to once again force you into the private sector, i am curious about your thoughts on this and the notion there is a marketplace that is invested by all of these things that may or may not be watched. let me pick up on one last point, the question of how we
attack this, we can't define this. i get this thrown to me all the time and it is as if we were talking about this domain, something where we have broad expertise on all these issues and there is huge power in categorizing the rabbit hole into how the un is dealing and approaching, cybersecurity is such an enormous field and conceptual areas had the power to say, this is where is a liberal arts majors of the world play in this land. is this something we haven't seen before? is this something that should
fall under our control framework. are there existing mechanisms that have been formed in the last 60 years where people were thinking of the stuff that would serve us well. i always challenge people on the political science degree to say how do i do this? what is the right role? there is a huge translation problem in this space now and they need for bucketing, the technical side, strategic, political policy community can play together to figure out the existing law assigned to it. >> jane had to step away to a commitment that if i may, we have a message from twitter from someone watching in cyberspace so thank you. this is picking up on the theme of the question earlier but in terms of the loss of cyberweapons which i interpret to mean losing control of a weapon that has been developed, to your point do we have an existing framework? how would that be handled under international law? how would it be handled today?
ideally what would you like to see in terms of that issue? >> i'm not in international law. the concept of effective control in cyberweapons is an exciting issue i have been following for a couple years. it is undermined by the fact that we don't have liability laws. you can't sue anyone, how should you be able to sue the us government if they lose control of a cyberweapon. it doesn't work that way because international law is different but fundamentally there is a political commitment. be careful how you use that, interesting example is not only losing control of your software but also when your staff meaning cyberoperators or cyberwarriors do something on their own time, if they do a hack as opposed to a private contract.
this has been the case probably china and russia, governments in both countries said that and this person happens to do that, they do that on their own time. international law is clear on that. if you have a special skill set and are working for a government organization and do something naughty, the government is responsible. more difficult when it is about something intangible but there is a political liability. many heads were being scratched. people are very embarrassed about what happened. i hope they are embarrassed enough to be more careful in the future but legally there is very little recourse i am familiar with. >> i am not touching that which it is a huge question. what forum you would even try.
it is too big between you and me. >> jonathan nichols on twitter will have to carry that out for another day. probably the last question right here. >> my name is archibald. a way to go, i had a message, the concept of cybersecurity, the solution to this problem. what would be your thought on this? >> that gets to the question of equal contribution but cyberforensics and what role that plays in here, kick us off on that as a veteran. i hate to say it depends on a great question but there are so
many elements involved in attribution but more broadly figuring out how to prevent the type of attack or compromise you have seen, to prescribe a framework that would give that community governments, other players looking at how to handle 4 and 6 would be difficult. that said, a place where government can play a helpful role in reporting around forensics. everyone's version of cyberattack is completely different. you can take computer network attack from country 13, and go under attack and make cyberversion and pick what your choice is. >> the ap stylebook weighs in.
>> any level of consistency so that when the british government says x wisely happened in a hospital or the french government comes out after an incident in 15, some level to report that with fidelity, that is how nascent we are in our ability to talk about network incidents. >> how big an issue is classification? we talk about recurring theme of trust, describing what happened, one of the ways, there is doubt about the 2016 election, all that is ever released is top level stuff. you might get some specific ip addresses but there is proprietary information in the private sector, not releasable
because it reveals the tactics, are we ever going to get to a common sense of forensics when so much stuff is considered -- >> two different ways to approach that. forensic private-sector environment looking at code reversing and piece of code looking at objects, getting the attribution. the capabilities, the less they will rely on that information and instead do what general michael hayden called the many haystack approach. you use that to get probability behind a certain event. a very different approach, who programmed it and what did they
do, so that would be how would government present that information? highly classified sources in international settings. there has been a proposal for a year or two supported by some on the internet, and open debate with attribution, something microsoft was keen on moving forward. there would be some organizations that basically said this government has been a bad boy on cyber. the big question is how do they deal with classified information? nobody has answered that question but the way to answer it is the way it is currently dealt with in the us anyway, the nonproliferation treaty, they constantly get sources of classified intel that are high level and going through this process i don't fully understand whether it is credible or not
but more important, trying to establish metrics and what we mean by certain events. that would be helpful. on the diplomatic side we need to define cyber operation, have a dictionary of terms as something put forward, just like national security, it would be what you wanted to be like pornography, you know it when you see it. it is hard to define but we pushed on a risk-management level and asked those guys in that community in their types of segmentation and classification object and events, types of attack, that might move the dialogue forward and keep it in the technical dimension, not necessarily talking about weaponization. >> we are out of time, those who
are joining in the room, opportunities to continue without the microphone. it is a wonderful panelist, thank you for tuning in. we have many of these and can look forward to stimulating conversations. [inaudible conversations] [inaudible conversations] >> james o'keefe, how did you get started with project veritas? >> guest: i got started at